Abstract

We give a new two-pass authentication scheme, which is a generalisation of an authentication scheme of Sibert-Dehornoy-Girault based on the Diffie-Hellman conjugacy problem. Compared to the above scheme, for some parameters it is more efficient with respect to multiplications. We sketch a proof that our authentication scheme is secure.
1. Introduction

In recent years various cryptographic protocols using infinite non-abelian groups have been proposed. For example the seminal algebraic key establishment protocol given in [1], and Artin's braid groups have been popular choices for such protocols. Braid groups are a popular choice because they are not too complicated to work with and they are more complicated than abelian groups. In particular the conjugacy problem in braid groups is algorithmically difficult and hence gives a one-way function.

We give a new authentication scheme (by using equations (2) and (3) below, which form a main part of this paper), which is a generalisation of the authentication scheme I of SDG (Sibert-Dehornoy-Girault) given in [10]. We do not claim that equations (2) and (3) are totally original; for example a simpler version of equation (3) is used in the authentication scheme in [13]. In this paper we refer to the authentication scheme I in [10] as the SDG scheme. Based on the proof of the SDG scheme given in [10] we sketch a proof that our new authentication scheme is a perfectly honest-verifier ZK interactive proof of knowledge of the prover's secret. Two other provably secure schemes, scheme II and scheme III, are given in [10] and they differ from our authentication scheme because they are zero-knowledge in a theoretical infinite framework, and they are iterated three-pass schemes. Another difference is that scheme II is based on different hard problems compared to our authentication scheme. We refer to [10] for further details of these schemes. Two related authentication schemes were proposed in [11] and it was shown in [12] that one "authentication scheme" in [11] is totally insecure and that the other authentication scheme, as shown in [12], can be broken by solving a specialisation of the decomposition problem defined in [4] (see below). An authentication scheme is given in [14] which has security based on a generalisation of the discrete logarithm problem in non-abelian finite groups. The main difference of our authentication scheme from the authentication scheme in [13] and the unbroken scheme in [11], [12] is that it is based on our version of the Diffie-Hellman decomposition problem defined below.

2. Hard Problems in Non-Abelian Groups

We now define the following known hard problems. The notation $[I, J] = 1$ (resp. $[I, J] \neq 1$) means that the subsets $I$ and $J$ of a semigroup $G$ commute (resp. do not commute). We may consider $G = B_n$ (the braid group of index $n$) in the following known problems, because the problems are then hard; by hard we mean there is no known algorithm to solve the problem such that a cryptographic protocol based on the problem would be insecure for practical use. When $G = B_n$ then WLOG the usual choices for $A$ and $B$ are the braid subgroups $LB_n$ and $UB_n$ (defined in section 3), as these are the choices that are used in [2] and [6], but the choices of $A$ and $B$ may be different. For our protocol to be secure at the very least $G$ should be non-commutative.

The DP (Decomposition Problem) [4] is defined as follows.

Public Information: $G$ is a semigroup, $A$ is a subset of $G$. $x, y \in G$ with $y = axb$.

Secret Information: $a, b \in A$.

Objective: find elements $f, g \in A$ such that $fxg = y$.

The definition of the DP above generalises the definition of a less general version of the DP given in [3] and [5]. The less general version only differs from the above definition of the DP in that $G$ is a group and $A$ is a subgroup. In our notation in all of this paper we omit the binary operation $*$ when writing products, so for example $f * x * g$ is understood to mean $fxg$. We require that $*$ is efficiently computable.

The CSP (Conjugacy Search Problem) [1], [3] is defined as follows.

Public Information: $G$ is a group. $x, y \in G$ with $y = f^{-1}xf$.

Secret Information: $f \in G$.

Objective: find an element $g \in G$ such that $g^{-1}xg = y$.

The DH-DP (Diffie-Hellman Decomposition Problem) [6], [3] is defined as follows.

Public Information: $G$ is a group. $A, B$ are subgroups of $G$ with $[A, B] = 1$. $x, y_a, y_b \in G$ with $y_a = axb$, $y_b = cxd$.

Secret Information: $a, b \in A$, $c, d \in B$.

Objective: find the element $c y_a d$ $(= a y_b b = acxbd)$.

The DH-CP (Diffie-Hellman Conjugacy Problem) is the specialisation of the DH-DP [6] with $a = b^{-1}$ and $c = d^{-1}$.

We now re-define the DP and DH-DP above as used in our authentication scheme. In the rest of this paper below, the DP and DH-DP will mean their re-definitions.

The re-definition of the DP is as follows.

Public Information: $G$ is a semigroup. $A, B$ are subsets of $G$. $x, y \in G$ with $y = axb$.

Secret Information: $a \in A$, $b \in B$.

Objective: find elements $f \in A$, $g \in B$ such that $fxg = y$.

The re-definition of the DH-DP is as follows.

Public information: $G$ is a semigroup. $A, B, C, D$ are subsets of $G$. $x, y_a, y_b \in G$ with $y_a = axb$, $y_b = cxd$.

Secret Information: $a \in A$, $b \in B$, $c \in C$, $d \in D$.

Objective: find the element $c y_a d$ $(= a y_b b = acxbd)$. So if we can find $f \in A$, $g \in B$ such that $fxg = y_a$, or $h \in C$, $i \in D$ such that $hxi = y_b$, then this is sufficient to break our schemes which have security based upon the DH-DP.

A variant of the above re-definition of the DH-DP, which we refer to as the DH-DP' and on which the security of our variant protocols is based, is as follows.

Public information: $G$ is a semigroup. $A, B, C, D$ are subsets of $G$. $x, y_a, y_b \in G$ with $y_a = axb$, $y_b = caxbd$.

Secret Information: $a \in A$, $b \in B$, $c \in C$, $d \in D$ ($a, b$ have an inverse).

Objective: find the element $a^{-1} y_b b^{-1}$ $(= cxd$, $y_a = axb)$. So if we can find $f \in A$, $g \in B$, $h \in C$, $i \in D$ such that $hxi = cxd$, or $f^{-1} y_b g^{-1} = cxd$ with $fxg = y_a$, then this is sufficient to break our schemes which have security based upon the DH-DP'.

In all of this paper, for our authentication scheme the DP, DH-DP and DH-DP' are considered with commutativity conditions such as (2) and (3) defined below. We assume the DP, DH-DP and DH-DP' are hard. The connection between the DH-DP and the DP is similar to the one between the Diffie-Hellman problem and the discrete logarithm problem. The DH-DP and DH-DP' are obviously reducible to the DP, but we assume that they are as hard for general $G$. Hence checking that the DP is hard for $x$ is supposed to ensure that the DH-DP also is.

The security of the modified key exchange protocol on page 2 of [1] is based on the DP with the additional condition that $[A, B] = 1$, and its security is also based on the DH-DP.

3. The Sibert-Dehornoy-Girault Authentication Scheme

All the details of implementation in braid groups for the SDG authentication scheme I are given in [10], so we do not reproduce them all here; we restrict to the details we require. For $n \geq 2$, $B_n$ is defined to be the group with the presentation with $n - 1$ generators (plus the identity $e$), denoted $\sigma_i$ for $i = 1, 2, \ldots, n - 1$, and the defining relations

$$\sigma_i \sigma_j = \sigma_j \sigma_i \quad \text{for } |i - j| > 1, \qquad \sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j \quad \text{for } |i - j| = 1. \qquad (1)$$

We refer the reader to any textbook about braids, for instance [13]; each element of $B_n$ has the geometrical interpretation by an $n$-strand braid in the usual sense. This geometrical interpretation is that any $n$-strand braid diagram can first be sliced into a concatenation of elementary diagrams with one crossing each, and then each elementary diagram can be used to give an encoding of the braid diagram as a word in the letters $\sigma_i$ or $\sigma_i^{-1}$. $\sigma_i$ is used for the diagram where the $i$th strand crosses under the $(i+1)$st one, and $\sigma_i^{-1}$ is used for the diagram where the $i$th strand crosses over the $(i+1)$st one.

$LB_n$ and $UB_n$ are the two commuting subgroups of $B_n$ generated by the Artin generators $\sigma_1, \ldots, \sigma_{\lfloor n/2 \rfloor - 1}$ and $\sigma_{\lfloor n/2 \rfloor + 1}, \ldots, \sigma_{n-1}$ [10]. The SDG authentication is as follows. We require that the DH-CP and CSP are hard in $G$, as the security of the authentication is based on these problems; let $G = B_n$, $A = LB_n$, $B = UB_n$ in the DH-CP and CSP. Let $G$ be a non-abelian group, let $w \in G$ be a publicly known word which has a secret word as one of its factors (an attacker may attempt to recover this secret word from $w$), and let $S$ be a function which maps $w$ to an equivalent word; $S$ is called a scrambling function, and the security of the protocol is based on the difficulty of recovering the above secret word from the word $S(w)$ [10]. A choice for the scrambling function can be a normal form for $w$ [10]. All braids are expressed in rewritten form using the scrambling function such that the DH-CP and CSP are hard.

• Phase 1. Key generation

i) Choose a public $b \in B_n$.

ii) A(lice) chooses a secret braid $s \in LB_n$, her private key; she publishes $b' = sbs^{-1}$; the pair $(b, b')$ is the public key.

• Phase 2. Authentication phase

i) B(ob) chooses $r \in UB_n$ and sends the challenge $t = rbr^{-1}$ to A.

ii) A sends the response $y = h(sts^{-1})$ to B, and B checks $y = h(rb'r^{-1})$.

$h$ is a fixed collision-free hash function from braids to sequences of 0's and 1's or, possibly, to braids; for this choice for $h$, $G$ must have an efficient solution for the word problem for use in phase 2ii).

A proof that the above authentication scheme is a perfectly honest-verifier ZK interactive proof of knowledge of $s$ is given in [10]. There is a linear algebraic algorithm to solve the DH-CP, but the attack is not efficient enough to break the public-key cryptosystem with the proposed parameters of [2] in real time [6]. The SDG scheme has a similar structure to the public-key cryptosystem in [5] because both algorithms are based on the DH-CP. Hence the parameters of the SDG scheme are based on considerations of the parameters of the above public-key cryptosystem [10]. Hence parameters can be chosen for the SDG scheme so that it cannot be broken in real time by using the attack on the DH-CP in [6].

4. New Authentication Scheme

The new authentication scheme is as follows. Let $G$ be an (infinite or finite) non-commutative semigroup. We define the scrambling function for our scheme as in the SDG scheme, but with the modification that it is defined over the semigroup $G$ instead of only a group. All elements in $G$ in this section are rewritten using the scrambling function, and parameters are chosen such that the DH-DP and DP are hard, as the security of our authentication scheme is based on these problems.

• Phase 0. Initial setup

i) $G$ is chosen and is publicly known. The users publicly agree on which method, first, second or third (described below), will be used to select the subsets, and publicly agree on which of the commutativity conditions (2) or (3) will be used.

A first method to select the parameters is that publicly known subsets $L_A, L_B, R_A, R_B$ and $Z$ of $G$ are chosen for which either property a) below is true or property b) below is true. Let $z \in Z$ be the publicly known element which is the value of $x$ in the definition of the DH-DP used in the example of the DH-DP in our new authentication scheme. Following [5], let $g \in G$ for $G$ a group, and let $C_G(g)$ be the centraliser of $g$; we describe the modifications to the authentication scheme (and these apply to the key agreement protocol described below) to give two further methods to select the subgroups as follows. Publicly known or privately known subsets $L_A, L_B, R_A, R_B$ and $Z$ of $G$ are chosen for which either property 2) below is true or property 3) below is true, for the second and third methods below.

Using the above first method the security of the protocol is based on the DH-DP. We now give the two further methods to select the subsets, which result in two modifications to the protocol when the first method is used. The second method to select the subgroups is: A chooses $(a_1, a_2) \in G \times G$ and publishes the subgroups as a set of generators of the centralisers $L_B, R_B$, $L_B \subseteq C_G(a_1)$, $R_B \subseteq C_G(a_2)$, $L_B = \{\alpha_1, \ldots, \alpha_k\}$ etc. B chooses $(b_1, b_2) \in L_B \times R_B$, and hence can compute $x$ below etc. Following [5] there is no explicit indication of where to select $a_1, b_1$ and/or $a_2, b_2$ from. Hence before attempting something like a length based attack in this case the attacker has to compute the centraliser of $L_B$ and/or $R_B$.

So a third method (this method is given for the key agreement protocol in [5]) to select the subgroups is: A chooses $L_A = G$, $a_1 \in G$, and publishes $L_B \subseteq C_G(a_1)$, $L_B = \{\alpha_1, \ldots, \alpha_k\}$; B chooses $L_B = G$, $b_2 \in G$, and publishes $R_A \subseteq C_G(b_2)$, $R_A = \{\beta_1, \ldots, \beta_k\}$. Hence A chooses $(a_1, a_2) \in G \times C_G(b_2)$ and publishes the subgroup(s) as a set of generators of the centralisers; B chooses $(b_1, b_2) \in C_G(a_1) \times G$, and hence can compute $x$ etc. Again there is no explicit indication of where to select $a_1$ and/or $b_2$ from. Hence before attempting a length based attack in this case the attacker has to compute the centraliser of $L_B$ and/or $R_B$.

The above three methods are examples of the following general method: if a user A or B selects an element $a_i$ or $b_i$ respectively as their secret element (which, WLOG, multiplies the public element $z$ on the left) then the other user selects an element of $C_G(a_i)$ or $C_G(b_i)$ respectively as their secret key, for the corresponding secret commuting element to multiply on the left, WLOG, and in general an attacker has no explicit indication of where to select $a_i$ and/or $b_i$ from. A potential disadvantage of using the above third method to select the subgroups is that one user chooses the other user's subgroups, and this may aid the user who has selected the subgroup to find the other user's secret key, and this secret key may be of use in, say, another attack. Hence before attempting a length based attack in this case the attacker has to compute the centraliser $C_G(a_i)$ and/or $C_G(b_i)$. Note if the subgroups are selected in the second or third way (using centraliser computations) then the security is based on a variant of the DP, the DH-DP and the difficulty of computing centralisers; for example if the third method above is used to select the subsets then, following the attack given in [5], A's or B's private key may be found as follows.



Attack on A's Key. Find an element $a'_1$ which commutes with every element of the subgroup $L_B$ and an element $a'_2 \in R_B$ such that $z' = a'_1 z a'_2$, where $a'_1 z a'_2$ above may be rewritten using a normal form. The pair $(a'_1, a'_2)$ is equivalent to the pair $(a_1, a_2)$, because $a'_1 z a'_2 = a_1 z a_2$; this means an attacker can authenticate as Alice. The attack applies to the key exchange protocol below with the modification $K_A = a'_1 z a'_2$ instead of $z' = a'_1 z a'_2$; this gives an equivalent secret key for A used to get the common secret key.

Attack on B's Key in the key exchange protocol in the section below. Find an element $b'_2$ which commutes with every element of the subgroup $R_A$ and an element $b'_1 \in L_B$ such that $K_B = b'_1 z b'_2$, where $b'_1 z b'_2$ above may be rewritten using a normal form. The pair $(b'_1, b'_2)$ is equivalent to the pair $(b_1, b_2)$, because $b'_1 z b'_2 = b_1 z b_2$; this means an attacker can find the common secret key when this set up is used as part of a key exchange algorithm as described below.

Then (following [5]) the most obvious way to recover Bob's private key (the attack for A is similar) is

B1. Compute the centraliser of $R_A$, $R_A \subseteq C_G(b_2)$.

B2. Solve the search version of the membership problem in the double coset

$$\langle L_B \rangle \cdot z \cdot C_G(R_A).$$

So for the protocol to be secure we want both the above problems to be computationally hard; for the problem B2 to be hard it is required that the centraliser $C_G(L_A)$ should be large enough to resist a brute force attack. The key exchange protocol in section 5 has security based upon the above problem. The above attack can be used to attack the authentication scheme or recover B's secret elements with the modification $x = b'_1 z' b'_2$ instead of $K_B = b'_1 z b'_2$ ($x$ is used instead of $K_B$ and $z'$ is used instead of $z$ etc.).

The attacks above are considered with commutativity conditions for the DH-DP such as (2) and (3) below. A similar attack is discussed when the second method is used to choose the subsets. Hence the platform group $G$ should satisfy the requirements given in the security analysis in section 6.

a) If $z \neq e$ we require the following conditions

$$[L_A, L_B] = 1, \quad [R_A, R_B] = 1, \quad [L_A, Z] \neq 1, \quad [R_A, Z] \neq 1, \quad [R_B, Z] \neq 1, \quad [L_A, R_A] \neq 1, \quad [L_B, R_B] \neq 1. \qquad (2)$$

All the above conditions for $z \neq e$ can arise by generalising from properties of subgroups used in either the SDG scheme or the CKLHC scheme; for example the second and third conditions in (2) arise from the observations that in general

$$[LB_n, B_n] \neq 1, \quad [LB_n, UB_n] = 1.$$
b) If $z = e$ we require the following conditions

$$[L_A, L_B] = 1, \quad [R_A, R_B] = 1. \qquad (3)$$

We were unable to show that the DH-DP using conditions (2) or (3) is easy. Hence we assume that the DH-DP is hard with the above conditions. Note condition (3) is condition (2) but with the conditions of the form of a subset not commuting with $Z$ omitted (because $z = e$) and the additional conditions $[L_B, R_A] \neq 1$, $[L_A, R_B] \neq 1$. The above additional conditions are required so that the DH-DP is not easy and hence our authentication scheme is secure.

• Phase 1. Key generation

i) Choose a public $z \in Z$.

ii) A chooses secret elements $a_1 \in L_A$, $a_2 \in R_A$, her private key; she publishes $z' = a_1 z a_2$; the pair $(z, z')$ is the public key.

• Phase 2. Authentication phase

i) B chooses $b_1 \in L_B$, $b_2 \in R_B$ and sends the challenge $x = b_1 z b_2$ to A.

ii) A sends the response $w = H(a_1 x a_2)$ to B, and B checks $w = H(b_1 z' b_2)$.

$H$ is a fixed collision-free hash function from elements of $G$ to sequences of 0's and 1's or, possibly, to elements of $G$; for this choice of $H$, $G$ must have an efficient solution for the word problem for use in phase 2ii).

Proposition 4.1. Our authentication scheme is a perfectly honest-verifier ZK interactive proof of knowledge of $a_1$ and $a_2$.

Proof. (Sketch) Completeness. Assume that, at step 2(ii), $w$ is sent by A. Then B accepts A's key if and only if $w = H(b_1 z' b_2)$, which is equivalent to

$$w = H(b_1 (a_1 z a_2) b_2). \qquad (4)$$

By hypothesis $a_1 \in L_A$, $a_2 \in R_A$, $b_1 \in L_B$, $b_2 \in R_B$, so $b_1 a_1 = a_1 b_1$, $b_2 a_2 = a_2 b_2$ holds and (4) is equivalent to $w = H(a_1 (b_1 z b_2) a_2)$, i.e. $w = w$.

Soundness. Assume a cheater A is accepted with non-negligible probability. This means A can compute $H(b_1 z' b_2)$ with non-negligible probability. Since $H$ is supposed to be an ideal hash function, this means that A can compute an element $q$ satisfying $H(q) = H(b_1 z' b_2)$ with non-negligible probability, and there are two possibilities. The first possibility is that $q = b_1 z' b_2$, which contradicts the hypothesis that the DH-DP is hard. The second possibility is $q \neq b_1 z' b_2$, which means that A and B are able to find a collision for $H$, which contradicts that $H$ is a collision free hash function.

Honest-verifier zero knowledge. Consider the probabilistic Turing machine defined as follows: it chooses random elements $b_1$ and $b_2$ using the same drawing as the honest verifier, and outputs the instances $(b_1, b_2, H(b_1 z' b_2))$. So the instances generated by this simulator follow the same probability distribution as the ones generated by the interactive pair (A, B). □

4.1 Comparison of Our Authentication Scheme with the Sibert-Dehornoy-Girault Authentication Scheme

The generalisation (not the variants) specialises to the SDG scheme (hence our authentication scheme can be as secure as the SDG authentication scheme) with the parameters $H = h$, $G = B_n$, $Z = L_A = R_A = LB_n$, $L_B = R_B = UB_n$, $b_1 = r$, $b_2 = r^{-1}$, $a_1 = s$, $a_2 = s^{-1}$, $z = b$, $z' = b'$, $x = t$, $w = y$, the first method is used to select the subsets and conditions (2) (or property a) is true) are used.

If $z = e$ then this implies the following. Conditions (3) do not allow the subgroups used in the SDG scheme to be used in our authentication scheme, because if these subgroups are used as the (incorrect) choices for $L_A, L_B, R_A$ and $R_B$ in our authentication scheme then it is easy to see that the DH-DP is easy and hence our authentication scheme is insecure. There is more control of the public parameters (the choices of the subsets) compared to the SDG scheme, and this may be useful for selecting secure public keys. Compared to the SDG scheme, potentially our authentication scheme requires less memory and fewer multiplications to compute the challenge of B and the public key of A. This is because the identity element may take little memory (compared to $b \neq e$) to represent, depending on the representation of $G$. Alternatively we can omit the implementation of using $Z$ completely because $x$ and $z'$ can be computed using two multiplications.

4.2 A Variant of the Authentication Scheme

A variant of the above authentication scheme is as follows.

• Phase 0. Initial Setup. The phase is the same as phase 0 of the authentication scheme in section 4.

• Phase 1. Key generation

i) Choose a public $z \in Z$.

ii) A chooses (invertible) secret elements $a_1 \in L_A$, $a_2 \in R_A$, her private key; she publishes $z' = a_1 z a_2$; the pair $(z, z')$ is the public key.

• Phase 2. Authentication phase

i) B chooses $b_1 \in L_B$, $b_2 \in R_B$ and sends the challenge $x = b_1 z' b_2$ to A.

ii) A sends the response $w = H(a_1^{-1} x a_2^{-1})$ to B, and B checks $w = H(b_1 z b_2)$; if the check is true he accepts, if the check is false he rejects.

$H$ is a fixed collision-free hash function from elements of $G$ to sequences of 0's and 1's or, possibly, to elements of $G$; for this choice of $H$, $G$ must have an efficient solution for the word problem for use in phase 2ii). The above variant authentication scheme has security based on the DH-DP'.

The above variant authentication scheme specialises to the authentication scheme in [14]. The above variant protocol specialises to the authentication scheme in [14] with the parameters: conditions (3) are used, $G$ a finite non-abelian group, Bob is user B in our protocol, Alice is user A in our protocol, $z$ = identity element, $L_A, R_B$ are publicly known, $L_A$ is generated by $a$, $R_B$ is generated by $b$, $L_B = L_A$, $R_B = R_A$; B selects the secret element which depends on the secret exponents $0 < r < n_1$, $0 < s < n_2$, $a^r \in L_A$, $b^s \in R_B$; A selects the secret element which depends on the secret exponents $0 < v < n_1$, $0 < w < n_2$, $a^v \in L_A$, $b^w \in R_B$, so the common secret key is $z' = a^v b^w$, where the notation $e, f$ is used in [14].

5. New Key Agreement Protocol

The setup for the authentication protocols in the above section can be used for key agreement as follows.

• Phase 0. Initial Setup. The phase is the same as phase 0 of the authentication scheme in section 4.

• Phase 1. Choose $z \in G$.

i) A(lice) chooses secret elements $a_1 \in L_A$, $a_2 \in R_A$, her private key; she publishes $K_A = a_1 z a_2$; the pair $(z, K_A)$ is the public key.

ii) B(ob) chooses secret elements $b_1 \in L_B$, $b_2 \in R_B$, his private key; he publishes $K_B = b_1 z b_2$; the pair $(z, K_B)$ is the public key.

iii) A and B can compute the common shared secret key $\kappa$ as $\kappa = a_1 K_B a_2$ and $\kappa = b_1 K_A b_2$ respectively. Optionally the alternative computation $\kappa = h(a_1 K_B a_2)$ and $\kappa = h(b_1 K_A b_2)$ can be done.

$h$ is a fixed collision-free hash function from braids to sequences of 0's and 1's or, possibly, to braids; for this choice for $h$, $G$ must have an efficient solution for the word problem. Again the above protocol is considered with the commutativity conditions (2) or (3). Note the elements $K_A$ and $K_B$ are rewritten, for example using a normal form, to make the protocol secure.

Because phase 0 is the same as in the authentication scheme, again its security is based on a variant of the DP, the DH-DP and the difficulty of computing centralisers.
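The authentication scheme of section 4 and the key agreement of section 5 run on a toy platform, as an added example that is not part of the paper: $G$ is taken to be the semigroup of $4 \times 4$ matrices modulo a small prime and the subsets $L_A, L_B, R_A, R_B$ are block-diagonal, all of which are assumptions made here. The block also tests the stated commutativity conditions (2) and (3) on sampled elements; linear algebra makes the DP easy on such a platform, so this illustrates the completeness identity (4) and the role of the conditions, not the hardness assumptions.

```python
import hashlib
import random

P = 101   # constructed: prime modulus of the toy platform G = M_4(Z_P)
N = 4     # matrix size; the two 2x2 diagonal blocks give the commuting subsets

# A subset is named by its block: True = diag(M, I), False = diag(I, M). Every
# diag(M, I) commutes with every diag(I, M'); two elements of one block in general do not.
SDG_SUBSETS = {"La": True, "Ra": True, "Lb": False, "Rb": False}    # La = Ra, Lb = Rb, as in SDG
CROSS_SUBSETS = {"La": True, "Lb": False, "Ra": False, "Rb": True}  # meets (3) when z = e
BAD_SUBSETS = {"La": True, "Lb": True, "Ra": False, "Rb": False}    # [La, Lb] != 1: violates (2) and (3)

def mat_mul(a, b):
    """The semigroup operation *: N x N matrix product over Z_P."""
    return [[sum(a[i][k] * b[k][j] for k in range(N)) % P for j in range(N)]
            for i in range(N)]

def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]

def commutes(g, h):
    return mat_mul(g, h) == mat_mul(h, g)

def rand_block(rng, top):
    """Sample from the subset living in the top-left (top=True) or bottom-right block."""
    m = identity()
    off = 0 if top else 2
    for i in range(2):
        for j in range(2):
            m[off + i][off + j] = rng.randrange(P)
    return m

def rand_elem(rng):
    """A generic public z in G, used when z != e."""
    return [[rng.randrange(P) for _ in range(N)] for _ in range(N)]

def H(g):
    """Collision-resistant hash G -> bit strings; a matrix mod P is its own canonical form."""
    return hashlib.sha256(bytes(v for row in g for v in row)).hexdigest()

def sandwich(left, middle, right):
    return mat_mul(mat_mul(left, middle), right)

def check_conditions(subsets, z_is_e, seed, trials=8):
    """Test (2) (z != e) or (3) (z = e) on sampled elements. Returns the list of
    violated conditions; [] means the samples are consistent with the condition."""
    rng = random.Random(seed)
    z = identity() if z_is_e else rand_elem(rng)
    must = [("La", "Lb"), ("Ra", "Rb")]
    must_not = [("Lb", "Ra"), ("La", "Rb")] if z_is_e else [("La", "Ra"), ("Lb", "Rb")]

    def sample(name):
        return rand_block(rng, subsets[name])

    failures = []
    for s, t in must:
        if not all(commutes(sample(s), sample(t)) for _ in range(trials)):
            failures.append(f"[{s},{t}] = 1")
    for s, t in must_not:
        if all(commutes(sample(s), sample(t)) for _ in range(trials)):
            failures.append(f"[{s},{t}] != 1")
    if not z_is_e:  # remaining conditions of (2): the subsets do not commute with z
        for s in ("La", "Ra", "Lb", "Rb"):
            if all(commutes(sample(s), z) for _ in range(trials)):
                failures.append(f"[{s},Z] != 1")
    return failures

def run_authentication(subsets, z_is_e, seed):
    """One run of phases 1 and 2 of section 4; returns whether B accepts."""
    rng = random.Random(seed)
    z = identity() if z_is_e else rand_elem(rng)
    # Phase 1: A's private key (a1, a2) and public key (z, z')
    a1, a2 = rand_block(rng, subsets["La"]), rand_block(rng, subsets["Ra"])
    z_prime = sandwich(a1, z, a2)
    # Phase 2(i): B's challenge x = b1 z b2
    b1, b2 = rand_block(rng, subsets["Lb"]), rand_block(rng, subsets["Rb"])
    x = sandwich(b1, z, b2)
    # Phase 2(ii): A's response and B's check agree exactly when (4) holds,
    # i.e. when a1 commutes with b1 and a2 commutes with b2
    w = H(sandwich(a1, x, a2))
    return w == H(sandwich(b1, z_prime, b2))

def run_key_agreement(subsets, z_is_e, seed):
    """Section 5: K_A = a1 z a2, K_B = b1 z b2; returns whether both derivations
    of the shared key agree, a1 K_B a2 == b1 K_A b2."""
    rng = random.Random(seed)
    z = identity() if z_is_e else rand_elem(rng)
    a1, a2 = rand_block(rng, subsets["La"]), rand_block(rng, subsets["Ra"])
    b1, b2 = rand_block(rng, subsets["Lb"]), rand_block(rng, subsets["Rb"])
    K_A, K_B = sandwich(a1, z, a2), sandwich(b1, z, b2)
    return sandwich(a1, K_B, a2) == sandwich(b1, K_A, b2)

if __name__ == "__main__":
    print("(3) with SDG-like subsets and z = e:", check_conditions(SDG_SUBSETS, True, 1))
    print("authenticate with [La,Lb] != 1:", run_authentication(BAD_SUBSETS, False, 1))
    print("key agreement, cross subsets, z = e:", run_key_agreement(CROSS_SUBSETS, True, 1))
```

With the SDG-like subsets and $z = e$ the check reports the two conditions of (3) that fail, which is the situation described in section 4.1; the cross subsets pass (3) and both protocols complete.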

Our protocol specialises to the CKLHC protocol in [8]: it is the above protocol with the parameters $G$ the braid group, $A$ and $B$ the commuting subgroups defined by $LB_n$ and $UB_n$, the two commuting subgroups of $B_n$ generated by the Artin generators $\sigma_1, \ldots, \sigma_{\lfloor n/2 \rfloor - 1}$ and $\sigma_{\lfloor n/2 \rfloor + 1}, \ldots, \sigma_{n-1}$, the first method in phase 0 is used and the DH-DP uses the condition (2). The publicly transmitted information is rewritten using the left canonical form. The KLCHKP protocol [2] is the specialisation of the CKLHC protocol with $a_2 = a_1^{-1}$ and $b_2 = b_1^{-1}$, and hence our protocol generalises the KLCHKP protocol.

Our protocol specialises to the key agreement protocol given on page two of [4] with the parameters $L_A = R_B$, $L_B = R_A$, $[L_A, L_B] = 1$, and commutativity condition (2), $G$ a semigroup or $G$ the Thompson group, the first method in phase 0 is used, and hence our protocol generalises the protocol given in [4]. Using the notation used in [4] this is $L_A = A$, $L_B = B$, $z = w$. So the left and right secrets are taken from different subgroups in the protocol.

Our protocol specialises to the key agreement protocol given in [5] when $G$ is a group, $A$ and $B$ are subgroups in the parameters of the DH-DP, the third method in phase 0 is used to select the subsets / modify the key agreement protocol described above, commutativity condition (2), $L_B \subseteq C_G(a_1)$, $L_B = \{\alpha_1, \ldots, \alpha_k\}$, $R_A \subseteq C_G(b_2)$, $R_A = \{\beta_1, \ldots, \beta_k\}$, and $K_A$ and $K_B$ are rewritten using a normal form; using the notation given in [5] this is $K_A = P_A$, $K_B = P_B$, $B = L_B$, $A = R_A$.

Hence we get new variants (which use fewer multiplications) of the protocols in [4], [5], [2], [8] if we consider the parameters for which our key agreement protocol above specialises to the protocols above but use condition (3) instead of conditions (2); for example if we consider the second method in phase 0 to modify the protocol with the parameters above to specialise, then compared to using the third method in phase 0 the advantage of this protocol is that user A does not have to wait for B to select the subgroup, and so for example can create the certificate to prove that the public key of A belongs to A.

5.1 Variant of Key Exchange

A variant of the key exchange is as follows. The above setup can be used for key agreement; the details are as follows.

• Phase 0. Initial Setup. The phase is the same as phase 0 of the authentication scheme in section 4.

• Phase 1. Choose $z \in G$.

i) A(lice) chooses secret invertible elements $a_1 \in L_A$, $a_2 \in R_A$, her private key; she publishes $K_A = a_1 z a_2$; the pair $(z, K_A)$ is the public key.

ii) B(ob) chooses secret braids $b_1 \in L_B$, $b_2 \in R_B$, his private key; he publishes $K_B = b_1 K_A b_2$; the pair $(K_A, K_B)$ is the public key.

iii) A and B can compute the common shared secret key $\kappa$ as $\kappa = a_1^{-1} K_B a_2^{-1}$ and $\kappa = b_1 z b_2$ respectively. Optionally the alternative computation $\kappa = h(a_1^{-1} K_B a_2^{-1})$ and $\kappa = h(b_1 K_A b_2)$ can be done.

$h$ is a fixed collision-free hash function from braids to sequences of 0's and 1's or, possibly, to braids; for this choice for $h$, $G$ must have an efficient solution for the word problem. Again the above protocol is considered with the commutativity conditions (2) or (3). Note the elements $K_A$ and $K_B$ are rewritten, for example using a normal form, to make the protocol secure.

Again, because phase 0 is the same as in the authentication scheme, we have sketched that its security is based on a variant of the DP, the DH-DP' and/or the difficulty of computing centralisers.

The above variant protocol specialises to the key exchange in [5] with the parameters: conditions (2) or (3) are used, $G$ a finite non-abelian group, Bob is user B in our protocol, Alice is user A in our protocol, $z = e$, $L_A$ is publicly known and is generated by $a$, $R_B$ is generated by $b$, $L_B = L_A$, $R_B = R_A$; B selects the secret element which depends on the secret exponents $0 < r < n_1$, $0 < s < n_2$, $a^r \in L_A$, $b^s \in R_B$; A selects the secret element which depends on the secret exponents $0 < v < n_1$, $0 < w < n_2$, $a^v \in L_A$, $b^w \in R_B$, so the common secret key is $\kappa = f = a^v b^w$, where the notation $e, f$ is used in [5].

5.1.1 Groups With No Efficient Normal Form

If there is no efficient algorithm for a canonical form in $G$ then the secret elements such as Alice's secret key must be disguised in another way, such as using a scrambling function. The algorithm in [1], for when $G$ is a group and there is no efficient normal form in $G$ but there is an efficient algorithm for the word problem in $G$, can be used to find a common shared secret key as follows. Fix $b$ as $b = 0$ or $b = 1$.

1. B sends a rewritten form of $\kappa$, which is $r$ for $r = \kappa$, or a random word for $r$, $r \neq \kappa$.

2. User A checks if $\kappa = r$; then this determines the bit $b$, otherwise the bit is $1 - b$.

3. The steps 1 and 2 are repeated $m$ times so an $m$ bit key is exchanged.

As stated in [1] the protocol is probabilistic and slower compared to using a canonical form.

6. Security Analysis

The attacks below are considered with commutativity conditions for the DH-DP such as (2) and (3) above.

6.1 Attacks When the Second Method is used to Choose Subsets in the Authentication Scheme and Key Exchange Scheme

If the second method above is used to select the subsets then, following the attack given in [5], A's or B's private key may be found as follows.

Attack on A's Key. Find an element $a'_1$ which commutes with every element of the subgroup $L_B$ and an element $a'_2 \in R_B$ which commutes with every element of the subgroup $R_B$ such that $z' = a'_1 z a'_2$, where $a'_1 z a'_2$ above may be rewritten using a normal form. The pair $(a'_1, a'_2)$ is equivalent to the pair $(a_1, a_2)$, because $a'_1 z a'_2 = a_1 z a_2$; this means an attacker can authenticate as Alice. The attack applies to the key exchange protocol (when the second method is used to choose the subsets) with the modification $K_A = a'_1 z a'_2$ instead of $z' = a'_1 z a'_2$; this gives an equivalent secret key for A used to get the common secret key.

Then (following [5]) the most obvious way to do the above attack on Alice's private key is

A1. Compute the centraliser of $R_B$, $R_B \subseteq C_G(a_2)$, and compute the centraliser of $L_B$, $L_B \subseteq C_G(a_1)$.

A2. Solve the search version of the membership problem in the double coset $\langle C_G(L_B) \rangle \cdot z \cdot \langle C_G(R_B) \rangle$.

So for the protocol to be secure we want both the above problems to be computationally hard; for the problem A1 to be hard it is required that both the centralisers $C_G(L_B)$ and $C_G(R_B)$ be large enough to resist a brute force type attack. The above attack can be used to attack the authentication scheme or recover A's secret elements with the modification $z' = a'_1 z a'_2$ instead of $K_A = a'_1 z a'_2$ ($z'$ is used instead of $K_A$ etc.), so this can be used to impersonate A.

Attack on B's Key in the key exchange protocol. Find an element $b'_1 \in L_B$ and an element $b'_2 \in R_B$ such that $K_B = b'_1 z b'_2$, where $b'_1 z b'_2$ above may be rewritten using a normal form. The pair $(b'_1, b'_2)$ is equivalent to the pair $(b_1, b_2)$, because $b'_1 z b'_2 = b_1 z b_2$; this means an attacker can find the common secret key when this set up is used as part of a key exchange algorithm as described above.

Then (following [5]) the most obvious way to do the above attack on Bob's private key is

B1. Solve the search version of the membership problem in the double coset $\langle L_B \rangle \cdot z \cdot \langle R_B \rangle$.

So for the protocol to be secure we want the above problem to be computationally hard; for the problem B1 to be hard it is required that the elements of $L_B, R_B$ cannot all be tested (for an equivalent key pair $b'_1, b'_2$), so to resist a brute force attack the possible values for $b'_1, b'_2$ should be large enough. The above attack can be used to attack the authentication scheme or recover B's secret elements with the modification $x' = b'_1 z' b'_2$ instead of $K_B = b'_1 z b'_2$ ($x'$ is used instead of $K_B$ and $z'$ is used instead of $z$ etc.), so this can be used to impersonate A.

6.2 Attack When Second Method is used to Choose Subsets in the 
Variant Authentication Scheme and Variant Key Exchange Scheme 

If the second method above is used to select the subsets, then following the variant 
of the attack given in [5], the attacks on the protocol to find A's or B's private 
key are as follows. 

Attack on A's Key. Find an element $a'_1$ which commutes with every element 
of the subgroup $L_B$ and an element $a'_2 \in R_B$ which commutes with every element 
of the subgroup $R_B$ such that $z' = a'_1 z a'_2$, where $a'_1 z a'_2$ above may be rewritten 
using a normal form and $a'_1, a'_2$ are both invertible elements. 

The pair $(a'_1, a'_2)$ is equivalent to the pair $(a_1, a_2)$, because $a'_1 z a'_2 = a_1 z a_2$; this 
means an attacker can authenticate as Alice because the attacker can compute 
$a'^{-1}_1 x a'^{-1}_2$. The above attack applies to the key exchange protocol with the 
modification $K_A = a'_1 z a'_2$ instead of $z' = a'_1 z a'_2$; this gives an equivalent secret 
key for A used to get the common secret key, which can be computed as $k = 
a'^{-1}_1 K_B a'^{-1}_2$. (Another attack, call this attack B, is to find elements $a'_1, a'_2$ such 
that $a'^{-1}_1 z' a'^{-1}_2 = z$; $a'_1, a'_2$ can be used instead of $a_1, a_2$ to get the common 
secret key. The attack is similar for the key agreement protocol with $K_A$ used in 
place of $z'$.) 
Then (following [5]) the most obvious way to do the above attack on Alice's 
private key is 

A1. Compute the centraliser of $R_B$, $R_B \subseteq C_G(a_2)$, and compute the 
centraliser of $L_B$, $L_B \subseteq C_G(a_1)$. 

A2. Solve the search version of the membership problem in the double coset 

$\langle C_G(L_B) \rangle \cdot z \cdot \langle C_G(R_B) \rangle$ and/or $\langle C_G(L_B) \rangle \cdot K_B \cdot \langle C_G(R_B) \rangle$. 

(For attack B we do the search in $\langle C_G(L_B) \rangle \cdot z' \cdot \langle C_G(R_B) \rangle$; there is a 
variant of attack B when the third method is used to choose the subsets, doing 
a search of the form $\langle L_B \rangle \cdot z' \cdot \langle C_G(R_B) \rangle$.) So for the protocol to be secure 
we want both the above problems to be computationally hard; for problem 
A1 to be hard it is required that both the centralisers $C_G(L_B)$ and $C_G(R_B)$ be 
large enough to resist a brute force type attack. 

Attack on B's key in the key exchange protocol. Find an element $b'_1 \in L_B$ 
and an element $b'_2 \in R_B$ such that $K_B = b'_1 z b'_2$, where $b'_1 z b'_2$ above may be 
rewritten using a normal form. The pair $(b'_1, b'_2)$ is equivalent to the pair $(b_1, b_2)$, 
because $b'_1 z b'_2 = b_1 z b_2$; this means an attacker can find the common secret key 
when this set-up is used as part of a key exchange algorithm as described below. 

Then (following [5]) the most obvious way to do the above attack on Bob's 
private key is 

B1. Solve the search version of the membership problem in the double coset 

$\langle L_B \rangle \cdot z \cdot \langle R_B \rangle$ and/or $\langle L_B \rangle \cdot K_A \cdot \langle R_B \rangle$. 

So for the protocol to be secure we want the above problem to be computationally 
hard; for problem B1 to be hard it is required that the elements 
of $L_B, R_B$ cannot all be tested (for an equivalent key pair $b'_1, b'_2$), so as to resist a 
brute force attack. The above attack can be used to attack the authentication 
scheme or recover B's secret elements with the modification $x' = b'_1 z' b'_2$ instead 
of $K_B = b'_1 z b'_2$ ($x'$ is used instead of $K_B$ and $z'$ is used instead of $z$ etc.), so this 
can be used to impersonate A. 

6.3 Attack When Third Method is used to Choose Subsets in the 
Variant Authentication Scheme and Variant Key Exchange Scheme 

Attack on A's Key. Find an element $a'_1$ which commutes with every element 
of the subgroup $L_B$ and an element $a'_2 \in R_B$ such that $z' = a'_1 z a'_2$, where $a'_1 z a'_2$ 
above may be rewritten using a normal form and $a'_1, a'_2$ are both invertible 
elements. The pair $(a'_1, a'_2)$ is equivalent to the pair $(a_1, a_2)$, because $a'_1 z a'_2 = 
a_1 z a_2$; this means an attacker can authenticate as Alice. The attack applies to the 
key exchange protocol with the modification that $K_A = a'_1 z a'_2$ instead of $z' = a'_1 z a'_2$ 
is solved; this gives an equivalent secret key for A used to get the common secret 
key by computing $k = a'^{-1}_1 K_B a'^{-1}_2$. 

Then (following [5]) the most obvious way to do the above attack on Alice's 
private key is 

A1. Compute the centraliser of $L_A$, $L_A \subseteq C_G(a_1)$. 

A2. Solve the search version of the membership problem in the double coset 
$\langle C_G(L_A) \rangle \cdot z \cdot \langle R_A \rangle$ and/or $\langle C_G(L_A) \rangle \cdot K_B \cdot \langle R_A \rangle$. 

Attack on B's key in the key exchange protocol is below. Find an element $b'_2$ 
which commutes with every element of the subgroup $R_A$ and an element $b'_1 \in L_B$ 
such that $K_B = b'_1 z b'_2$, where $b'_1 z b'_2$ above may be rewritten using a normal form. 
The pair $(b'_1, b'_2)$ is equivalent to the pair $(b_1, b_2)$, because $b'_1 z b'_2 = b_1 z b_2$; this 
means an attacker can find the common secret key. 

Then (following [5]) the most obvious way to recover Bob's private key is 

B1. Compute the centraliser of $R_A$, $R_A \subseteq C_G(b_2)$. 

B2. Solve the search version of the membership problem in the double coset 
$\langle L_B \rangle \cdot z \cdot \langle C_G(R_A) \rangle$. 

So for the protocol to be secure we want both the above problems to be 
computationally hard; for problem B2 to be hard it is required that the centraliser 
$C_G(R_A)$ be large enough to resist a brute force attack. The key exchange 
protocol in section 5 has security based upon the above problem. The above 
attack can be used to attack the authentication scheme or recover B's secret 
elements with the modification that $x = b'_1 z' b'_2$ instead of $K_B = b'_1 z b'_2$ is solved ($x$ 
is used instead of $K_B$ and $z'$ is used instead of $z$ etc.), so this can be used to 
impersonate Alice. 

6.4 Requirements of the Platform Group 

Hence the platform group $G$ should satisfy at least the following properties 
in order for our key establishment protocol to be efficient and secure. We have 
taken the requirements from [5], so the properties are the same as given in [5] 
with the relevant modifications. At least one of properties P7, P8 or P9 is true 
depending on the choice of protocol used. 

(P1) $G$ should be a non-commutative group of at least exponential growth. 
The latter means that the number of elements of length $n$ in $G$ is at least 
exponential in $n$; this is needed to prevent brute force type attacks on 
the key space. 

(P2) This property may be optional. There should be an efficiently com- 
putable normal form for elements of G. 

(P3) It should be computationally easy to perform group operations (multi- 
plication and inversion) on normal forms. 

(P4) It should be computationally easy to generate pairs $(a, \{a_1, \dots, a_k\})$ such 
that $a a_i = a_i a$ for each $i = 1, \dots, k$. (Clearly, in this case the subgroup generated 
by $a_1, \dots, a_k$ centralizes $a$.) 

(P5) For a generic set $\{g_1, \dots, g_k\}$ of elements of $G$ it should be difficult to 
compute $C(g_1, \dots, g_k) = C(g_1) \cap \dots \cap C(g_k)$. 

(P6) This property may be optional. Even if $H = C(g_1, \dots, g_n)$ is computed, 
it should be hard to find $x \in H$ and $y \in H_1$ (where $H_1$ is some fixed subgroup 
given by a generating set) such that $xwy = w'$, i.e., to solve the membership 
search problem for a double coset. 

(P7) This property may be optional. Even if $H = C(g_1, \dots, g_n)$ is computed 
and $H_1 = C(g'_1, \dots, g'_n)$ ($g'$ is a generator as usual) is computed, it should 
be hard to find $x \in H$ and $y \in H_1$ such that $xwy = w'$, i.e., to solve the 
membership search problem for a double coset. 

(P8) This property may be optional. Given $H$ and $H_1$, some fixed subgroups 
given by generating sets, it should be hard to find $x \in H$ and 
$y \in H_1$ such that $xwy = w'$, i.e., to solve the membership search problem for a 
double coset. 

(P9) This property may be optional. There should be an efficient 
algorithm for the word problem in $G$. 

6.5 Braid groups 

We now consider braid groups as a possible platform group. Here we consider 
the properties (P1)-(P6) from the previous section. 

(P1) For $n > 2$, braid groups $B_n$ are non-commutative groups of exponential 
growth. 

(P2) There are several known normal forms for elements of $B_n$, including 
the Garside normal form (see [8]). The Garside normal form is efficiently 
computable. 

(P3) There are efficient algorithms to multiply or invert normal forms of 
elements of $B_n$ [H]. 

(P4) It is not so easy to compute the whole centralizer of an element $g$ of 
$G$ [5]. The number of steps required to compute $C_G(g)$ is proportional to the size 
of the SSS (super summit set) of $g$. Generally speaking the super summit 
set is not of polynomial size in $n$ and the braid length. Nevertheless, there are 
approaches to finding "large parts" of $C_G(g)$, e.g. one can generate a sufficiently 
large part of $SSS(g)$. 

(P5) For a generic subgroup $A$ there is no efficient algorithm to compute 
$C_G(A)$. 

(P6), (P7) and (P8) There is no known solution to the membership search 
problem for double cosets $HwH'$ in braid groups. 

(P9) There are efficient algorithms for the word problem in braid groups, 
such as the practical handle reduction algorithm for the word problem described 
in [in]. 

7. Conclusion 

We have presented new two-pass authentication schemes and key exchange 
protocols. This paper is a work in progress: the further work we plan to 
do for our authentication scheme is to investigate potential semigroups (apart 
from braid groups) and parameters for which it is secure, when its security is 
based on the DH-DP or variants of the DH-DP. 